PCI DSS 4.0 and Penetration Testing: What’s New and What You Must Do Before Your Next Audit

Summary

  • PCI DSS 4.0 (and 4.0.1) keeps the requirement for internal and external pentests at least annually and after significant changes.
  • v4.0 adds clearer expectations, such as retaining pentest results for 12 months and following PCI’s documented approach to assess and address exploitable findings.
  • BreachLock supports continuous, comprehensive pentesting with platform-driven, real-time insights to speed remediation and reduce TCO.

Key Terms

  • Payment Card Industry Data Security Standard (PCI DSS): Developed by the PCI Security Standards Council, PCI DSS sets security requirements for any organization that stores, processes, or transmits payment card data, including merchants, service providers, and financial institutions.
  • Cardholder Data Environment (CDE): The people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data (SAD) and any connected systems that can impact their security.

Meeting PCI DSS 4.0 Audit Requirements

The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory global security standard designed to protect the integrity of sensitive credit and debit card data. To comply with its latest iteration (v4.0*), organizations must ensure that this data is stored, processed, and transmitted securely. In doing so, they can protect consumers and themselves from theft, compromise, and fraud, and build greater trust in the payment ecosystem.

To achieve these objectives, they must establish strong security controls aligned with PCI DSS requirements. PCI DSS penetration testing provides an effective starting point for this effort.

* The latest iteration (as of February 2026) is v4.0.1. However, this version only makes minor changes to v4.0 and the primary requirements remain unchanged from v4.0.

PCI DSS v4.0 Requirements: What’s New from v3.2.1

The PCI DSS framework applies to all organizations that accept, handle, or store cardholder data from any of the five major card companies. To comply with the standard, organizations must satisfy all its technical and operational requirements. These requirements have evolved over the years through its various iterations.

The latest version v4.0 was released in March 2022. It completely replaced the previous version (v3.2.1) in March 2024.

PCI DSS v4.0 differs from v3.2.1 in several ways.

For one, v4.0 supports a flexible and customized implementation approach, so organizations can freely choose their strategy and technologies to meet their compliance obligations.

The new version also broadens the scope of vulnerability management. Where v3.2.1 only required critical and high-risk vulnerabilities to be addressed, v4.0 mandates that all vulnerabilities must be fixed. It also requires prioritization of the most critical flaws.

Another key change in v4.0 is increased focus on malware protection, data encryption, and user authentication. Entities must perform targeted risk analyses to determine the frequency of periodic malware scans and scan all in-use removable devices with malware detection software. They must also:

  • Assign and manage application and system accounts, and related access privileges
  • Implement MFA to ensure secure access to the cardholder data environment (CDE)
  • Protect passwords/passphrases against misuse
  • Encrypt electronically stored sensitive authentication data (SAD) prior to authorization

PCI DSS v4.0 also emphasizes cybersecurity awareness training. The training must include awareness of threats that could impact the security of the Cardholder Data Environment (CDE) and clarify the acceptable use of end-user technologies. Additionally, the training program must be reviewed and updated at least once every 12 months.

How Penetration Testing Enables Compliance with PCI DSS 4.0

Now that PCI DSS v4.0 is fully in effect, merchants and service providers must satisfy its requirements. Compliance failures can be very costly. At the very least, they could face fines of $5,000 to $10,000 per month for the first 3 months of non-compliance. As the non-compliance period increases, the fines increase as well.

PCI DSS non-compliance also means that the organization has weak security controls, which increases the risk of data breaches. In 2025, the financial sector had the second-highest average breach cost of $5.56 million [1]. This hefty figure reiterates the need for minimizing breach risk. And the most effective way to do this is by fully implementing all the security measures mandated by PCI DSS v4.0.

Fortunately, organizations can leverage penetration testing as a useful method to implement these measures and achieve PCI DSS compliance. It’s important to conduct pentesting before your next audit for two key reasons:

1. To strengthen your security defenses

Pentesting enables organizations to validate that their security mechanisms work, not just in theory, but against real-world threat groups and attack scenarios. It also verifies that these measures cannot be bypassed, thus helping to strengthen security, while also easing the path to compliance.

Pentests also demonstrate whether vulnerabilities in the CDE can actually be exploited to access cardholder data. This enables defenders to understand the actual impact of a vulnerability and use these insights to prioritize and implement proactive remediations.

2. To comply with PCI DSS v4.0

Conducting pentests enables organizations to directly fulfill and demonstrate PCI DSS compliance. One of the 12 goals of PCI DSS is to “regularly monitor and test networks”. To achieve this goal, organizations are required to “regularly test security systems and processes”.

Enter PCI DSS penetration testing.

PCI DSS v3.2.1 required all organizations to conduct both internal and external pentesting at least annually and after any significant upgrade or modification (Requirement 11.3). Companies must also perform annual pentests to verify the effectiveness of their segmentation controls. Additionally, service providers must perform pentests on their segmentation controls at least every six months and after modifying these controls.

These requirements remain in place in PCI DSS v4.0, making pentesting crucial for achieving v4.0 compliance. This version clarifies the difference between internal and external pentesting. It also includes these additional requirements:

  • Maintain pentesting results for at least 12 months
  • Use PCI’s documented approach to assess and address the risk of exploitable vulnerabilities found during pentesting

Furthermore, v4.0 requires service providers to implement pentesting once every six months to confirm the effectiveness of the logical separation controls that separate customer environments (Requirement A1.1.4). They must also support their customers for external pentesting (Requirement 11.4.7).

Strengthen Defenses and Ease PCI DSS v4.0 Compliance with BreachLock Penetration Testing

PCI DSS 4.0 emphasizes continuous monitoring of enterprise environments as well as ongoing validation of enterprise security infrastructure. Here’s where BreachLock’s penetration testing delivers measurable value.

BreachLock offers continuous, comprehensive PCI DSS penetration testing to help you strengthen your defenses and fulfill your PCI DSS compliance obligations. The BreachLock Unified Platform provides contextual, real-time insights to enhance threat visibility and drive faster remediation. This integrated platform minimizes the need for multiple point solutions and costly expertise, so you can reduce your pentesting TCO by 50% or more.

With BreachLock PCI DSS pentesting, you can satisfy all the requirements of v4.0 and maintain a strong compliance posture. Contact us to schedule a discovery call and get ahead of your compliance requirements.

References

1. IBM (2025). Cost of a Data Breach Report 2025. https://www.ibm.com/reports/data-breach

Author

BreachLock Labs